Abstract


This  report  critically  examines  existing  concepts  of  risk  and  offers  recommendations  for 
improving  the  definition  of  risk  and  other  risk-related  terms.  The  author  highlights  the  fact  that 
the  concept  of  risk  is  problematic  because  it  is  ambiguous  and  vague.  In  the  vernacular,  risk  has 
multiple  meanings  including  (a)  risk  as  potential  loss,  (b)  risk  as  a  probability  of  a  negative  event 
occurring,  and  (c)  risk  as  variability,  volatility,  or  uncertainty  regarding  events  in  the  future.  In 
addition,  many  organisational  definitions  of  risk  define  the  concept  in  terms  of  an  integration  of 
the  probability  of  a  threat  and  the  severity  of  its  potential  consequences.  The  author  examines  the 
definition  of  risk  promulgated  by  (a)  the  Government  of  Canada  through  the  Treasury  Board 
Secretariat  in  its  2001  Integrated  Risk  Management  Framework,  (b)  the  Department  of  National 
Defence  and  Canadian  Forces  (DND/CF)  through  the  2002  Joint  Doctrine  on  Risk  Management 
for  CF  Operations  and  the  2005  Integrated  Risk  Management  Guideline  and  Policy  documents, 
and  (c)  the  Canadian  Standards  Association  (CSA)  and  the  International  Organization  for 
Standardization  and  International  Electrotechnical  Commission  (ISO/IEC).  The  report  concludes 
with  recommendations  for  the  definition  of  risk,  expected  utility,  and  uncertainty,  which  the 
author  proposes  form  a  set  of  concepts  that  can  contribute  to  effective  decision  making  in  defence 
and  security  contexts. 


Résumé


This report takes a critical look at current concepts of risk and presents
recommendations for improving the definition of risk and other risk-related terms.
The author highlights the fact that the concept of risk is problematic because it is ambiguous and
vague. In everyday language, risk has multiple meanings: (a) risk as possible loss; (b) risk as the
probability of a negative outcome; (c) risk as variability, volatility or uncertainty regarding
future events. In addition, many organisational definitions of risk define the concept in terms of
the integration of the probability of a threat and the severity of its possible consequences. The
author examines the definition of risk published by (a) the Government of Canada in the 2001
Integrated Risk Management Framework of the Treasury Board of Canada Secretariat, (b) the 2002
joint doctrine on risk management for CF operations and the 2005 integrated risk management
policy and guideline documents of the Department of National Defence and the Canadian Forces,
and (c) the Canadian Standards Association (CSA) and the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC). The report
concludes with recommendations for the definition of risk, the utility function, and uncertainty,
for which the author proposes a set of concepts that support an effective decision-making process
in defence and security contexts.
Executive summary


Toward  a  concept  of  risk  for  effective  military  decision  making 

David R. Mandel; DRDC Toronto TR 2007-124; Defence R&D Canada - Toronto; December 2007.

This  report  critically  examines  existing  concepts  of  risk  and  offers  recommendations  for 
improving  the  definition  of  risk  and  other  risk-related  terms.  The  author  highlights  the  fact  that 
the  concept  of  risk  is  problematic  because  it  is  ambiguous  and  vague.  In  the  vernacular,  risk  has 
multiple  meanings  including  (a)  risk  as  potential  loss,  (b)  risk  as  a  probability  of  a  negative  event 
occurring,  and  (c)  risk  as  variability,  volatility,  or  uncertainty  regarding  events  in  the  future.  In 
addition,  many  organisational  concepts  of  risk  define  it  in  terms  of  an  integration  of  the 
probability  of  a  threat  and  the  severity  of  the  potential  consequences  of  that  threat. 

The  author  specifically  examines  the  definition  of  risk  promulgated  by  (a)  the  Government  of 
Canada  through  the  Treasury  Board  Secretariat  in  its  2001  Integrated  Risk  Management 
Framework,  (b)  the  Department  of  National  Defence  and  Canadian  Forces  (DND/CF)  through  the 
2002  Joint  Doctrine  on  Risk  Management  for  CF  Operations  and  the  2005  Integrated  Risk 
Management  Guideline  and  Policy  documents,  and  (c)  the  Canadian  Standards  Association 
(CSA)  and  the  International  Organization  for  Standardization  and  International  Electrotechnical 
Commission  (ISO/IEC).  The  definition  of  risk  provided  by  the  Integrated  Risk  Management 
Framework,  which  the  Department  of  National  Defence  adopted  in  its  2005  Integrated  Risk 
Management  Guideline  and  Policy  documents,  is  judged  to  be  problematic  because  it  conflates 
two  distinct  connotations  of  risk — risk  as  uncertainty  about  future  events  and  risk  as  the 
integration  of  threat  probability  and  consequence  severity.  The  author  proposes  that  the  definition 
of  risk  provided  by  the  joint  doctrine  on  risk  management  in  CF  operations  is  less  ambiguous,  but 
still  vague,  as  are  the  definitions  provided  by  both  the  CSA  and  the  ISO/IEC  standards. 

The  report  concludes  with  recommendations  for  the  definition  of  risk,  expected  utility,  and 
uncertainty,  which  the  author  proposes  form  a  set  of  concepts  that  can  contribute  to  effective 
decision  making  in  defence  and  security  contexts.  Risk  is  defined  as  “the  expected  loss  associated 
with  an  event.  It  is  measured  by  combining  the  magnitudes  and  probabilities  of  all  of  the  possible 
negative  consequences  of  the  event.”  Expected  utility  refers  to  the  expected  value  of  an  event.  It 
is  measured  by  combining  the  signed  magnitudes  and  probabilities  of  all  of  the  possible 
consequences  of  the  event.  Thus,  in  contrast  to  risk,  expected  utility  takes  into  account  both 
positive  and  negative  expected  outcomes.  Uncertainty  refers  to  the  degree  of  variability  in  the 
possible  values  associated  with  an  event.  It  is  proposed  that  these  three  definitions  (risk, 
expected  utility,  and  uncertainty)  cover  most  of  the  interpretations  in  which  risk  has  been 
used  in  government  and  defence  policies  and  military  doctrine,  while  using  distinct,  but 
accessible,  terminology. 


DRDC  Toronto  TR  2007-124 


Summary


Toward a concept of risk for effective military decision making

David R. Mandel; DRDC Toronto TR 2007-124; Defence R&D Canada - Toronto; December 2007.

This report takes a critical look at current concepts of risk and presents
recommendations for improving the definition of risk and other risk-related terms.
The author highlights the fact that the concept of risk is problematic because it is ambiguous and
vague. In everyday language, risk has multiple meanings: (a) risk as possible loss; (b) risk as the
probability of a negative outcome; (c) risk as variability, volatility or uncertainty regarding
future events. In addition, many organisational definitions of risk define the concept in terms of
the integration of the probability of a threat and the severity of its possible consequences.

The author specifically examines the definition of risk published by (a) the Government of
Canada in the 2001 Integrated Risk Management Framework of the Treasury Board of Canada
Secretariat, (b) the 2002 joint doctrine on risk management for CF operations and the 2005
integrated risk management policy and guideline documents of the Department of National
Defence and the Canadian Forces, and (c) the Canadian Standards Association (CSA) and the
International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC). The definition of risk provided in the Integrated Risk Management Framework,
which the Department of National Defence added to the 2005 integrated risk management policy
and guideline documents, is judged problematic because it combines two distinct connotations of
risk: risk as uncertainty about future events and risk as the integration of the possibility of a
threat and the severity of the consequences. The author suggests that the definition of risk
provided in the joint doctrine on risk management for CF operations is less ambiguous, but still
vague, as are the definitions provided in the CSA and ISO/IEC standards.

The report concludes with recommendations for the definition of risk, the utility function, and
uncertainty, for which the author proposes a set of concepts that support an effective
decision-making process in defence and security contexts. Risk is defined as “the expected loss
associated with an event. It is assessed by combining the magnitude and the probabilities of all of
the possible negative consequences of an event.” The utility function refers to the expected value
of an event. It is assessed by combining the magnitude and the approved possibilities of all of the
possible consequences of an event. Thus, in contrast to risk, the utility function takes into
account expected positive and negative outcomes. Uncertainty refers to the degree of variability
of the possible values associated with an event. It is proposed that these three definitions (risk,
utility function and uncertainty) account for the majority of the interpretations in which risk has
been used in the context of government and of military doctrine and defence policies, while using
distinct and accessible terminology.
Introduction


Nowadays,  few  would  challenge  the  notion  that  effectively  managing  risk  is  a  fundamental 
requirement  for  making  sound  decisions.  The  Government  of  Canada  (GoC)  reflects  this  view 
through  its  promulgation  of  integrated  risk  management  (IRM)  as  a  core  concept  designed  to 
improve  the  effectiveness  of  organizational  decision  making.  In  1998,  The  Privy  Council  Office 
convened  a  working  group  of  Assistant  Deputy  Ministers  to  consider  risk  management  issues  in 
the  public  policy  domain.  In  2000,  this  group  published  a  report  recommending  the  development 
of  a  government  risk  management  framework  [1].  A  document  expressing  a  commitment  to 
developing  an  IRM  framework  was  also  tabled  in  Parliament  [2].  Affirming  this  commitment,  the 
Treasury  Board  of  Canada  Secretariat  published  the  Integrated  Risk  Management  Framework 
(IRMF)  in  2001,  which  it  describes  as  a  practical  guide  designed  to  assist  public  service 
employees  in  their  decision  making  [3]. 

The  IRMF  is  a  government-wide  policy,  applicable  to  both  the  Department  of  National  Defence 
and  the  Canadian  Forces  (DND/CF).  In  response  to  the  GoC’s  objective  of  promulgating  the 
IRMF  throughout  government,  the  DND/CF  began  developing  a  framework  for  Integrated 
Strategic  Risk  Management  in  Defence  (ISRM).  In  April  2001,  the  VCDS,  Vice-Admiral  Garnett, 
introduced  the  concept  of  ISRM: 

It represents the Department’s first steps in defining corporate strategic risk and how it is
managed.  It  is  intended  to  compliment  the  Treasury  Board’s  initiative  in  producing  the 
Integrated  Risk  Management  Framework  and  to  suggest  risk  management  actions  and 
methods that will support Defence objectives [4].

However,  a  2004  Chief  Review  Services  IRM  audit  of  the  DND/CF  concluded  that  “no 
commonly  accepted  risk  process  is  evident  in  the  DND/CF”  [5].  Moreover,  the  audit  report  stated 
that  “outside  of  areas  where  risk  management  is  traditionally  used  in  the  DND/CF,  little 
understanding  or  articulation  of  the  concept  of  IRM  -  and  how  it  needs  to  be  integrated  as  part  of 
normal,  day-to-day  planning,  decision-making  and  performance  management  -  is  evident”  [6].  In 
October  2005,  the  DND/CF  produced  an  IRM  policy  statement  [7]  and  IRM  guidelines  [8]  that, 
together,  are  geared  toward  harmonizing  risk  management  policy  and  practice  with  the  IRMF. 
According  to  the  policy  statement,  “DND  and  the  CF  will  adopt  Integrated  Risk  Management  as 
defined  by  Treasury  Board  and  used  within  the  GoC.  Furthermore,  the  risk  management 
methodology  will  be  incorporated  into  our  business  planning  and  performance  management 
processes;  a  separate  integrated  risk  management  framework  will  not  be  created”  [9]. 

Given  that  the  DND/CF  has  explicitly  expressed  its  commitment  to  adhere  to  the  IRMF  and, 
moreover,  given  that  the  GoC  will  continue  to  evaluate  it  in  terms  of  its  compliance  with  the 
IRMF,  it  is  important  to  examine  the  concept  of  risk  both  as  defined  by  the  IRMF  and  the 
DND/CF.  In  the  present  article,  I  examine  the  risk  concept  in  some  detail  as  it  is  more  generally 
defined  and  also  as  it  is  specifically  defined  within  the  IRMF,  DND/CF  IRM  policy  and 
guidelines,  and  DND/CF  doctrine.  This  examination  reveals  some  of  the  troubling  vagaries  and 
ambiguities  inherent  in  the  concept  of  risk.  The  article  concludes  by  offering  some 
recommendations  for  standardizing  the  usage  of  risk  and  risk-related  concepts  along  sound 
connotative  lines;  namely,  lines  intended  to  support  effective  organizational  decision  making  both 
within  military  contexts  and  within  the  wider  governmental  sphere. 
The Integrated Risk Management Framework


To  begin  with,  consider  the  IRMF  definition  of  IRM  itself,  and  how  it  is  meant  to  differ  from 
“plain  old”  risk  management.  According  to  the  IRMF, 

Integrated  risk  management  is  a  continuous,  proactive  and  systematic  process  to 
understand,  manage  and  communicate  risk  from  an  organization-wide  perspective.  It  is 
about  making  strategic  decisions  that  contribute  to  the  achievement  of  an  organization’s 
overall corporate objectives [10].

The  IRMF  distinguishes  IRM  from  risk  management,  which  it  defines  as  “a  systematic  approach 
to  setting  the  best  course  of  action  under  uncertainty  by  identifying,  assessing,  understanding, 
acting  on  and  communicating  risk  issues”  [11].  The  distinction  reflects  the  view  of  GoC  policy 
makers  that  even  effective  risk  management  does  not  go  far  enough  to  ensure  organization-wide 
success  in  a  world  in  which  organizations  must  often  respond  simultaneously  and  rapidly  to  a 
diverse  array  of  challenges.  Rather,  according  to  this  viewpoint,  strategic  effectiveness  requires 
management  to  proactively  promulgate  a  “risk  management  culture  [that]  supports  the  overall 
vision,  mission  and  objectives  of  an  organization”  [12].  In  this  culture,  decision  makers  across  all 
levels  of  an  organization  are  explicitly  encouraged  to  develop  a  common  understanding  of  the 
challenges  and  opportunities  they  face  in  terms  of  risk,  and  to  communicate  risk-relevant 
information  horizontally  as  well  as  vertically  within  the  organization.  IRM  is  thus  intended  to  go 
beyond  the  development  of  stove-pipe  procedures  for  handling  risk  and  is  aimed  at  cultivating  an 
organizational  culture  in  which  its  members  are  deeply  attuned  to  the  concept  of  risk  and  in  which 
they  routinely  and  actively  perceive,  assess,  respond  to,  and  communicate  information  about  risks 
within  their  operational  environments. 

Regardless  of  what  the  real  or  anticipated  differences  between  risk  management  and  IRM  may  be, 
both share a fundamental commonality; namely, that for either type of policy or practice to
support  effective  decision  making  it  must  begin  with  a  cogent  understanding  of  what  the  term  risk 
means.  At  first  glance,  the  task  of  conceptualizing  risk  may  appear  trivial.  After  all,  given  that 
most  people  seem  to  have  a  fairly  good  idea  of  what  they  mean  by  risk,  surely  “the  experts” 
tasked  with  one  or  more  of  the  various  aspects  of  risk  management  must  know  what  they  mean  by 
risk.  Moreover,  these  experts  must  largely  agree  on  a  standard  definition  of  risk.  Unfortunately, 
these  “reasonable  assumptions”  need  not  be  true.  And,  in  fact,  as  we  shall  see,  the  concept  of  risk 
is  mired  in  vagueness  and  ambiguity,  which  threatens  to  undermine  its  utility  to  decision  makers. 
What’s wrong with risk?


The  key  problem  with  the  term  risk,  as  many  scholars  have  noted,  is  that  it  has  too  many 
connotations,  some  of  which  are  fairly  vague  [13,  14].  When  risk  is  defined  more  precisely,  it 
becomes  evident  that  there  are  already  other  terms  that  mean  the  same  thing.  Therefore,  decision 
makers  are  left  with  a  term  that  is  either  imprecise  or  superfluous.  Indeed,  as  one  economist 
boldly  put  it, 

“Risk” — interpreted  to  subsume  all  cognate  terms  and  expressions  such  as  risk 
assessment,  risk  perception,  risk  factors,  acceptable  risk,  etc. — should  be  abandoned  by 
everyone  interested  in  improving  public  or  personal  decisions.  Its  multiple,  confusing  and 
ambiguous  usages  persistently  interfere  with  the  distinct  tasks  of  identifying  and 
evaluating  knowledge  and  evidence  relevant  to  the  decision  on  the  one  hand  and  eliciting 
and  processing  value  judgments  relevant  to  it  on  the  other,  as  well  as  making  it  much 
more  difficult  for  the  necessary  integration  of  these  two  distinct  types  of  inputs  to  be 
achieved in a coherent and transparent way [15].

If  this  assessment  is  correct,  it  would  be  reasonable  to  ask  why  government  policy  makers  should 
bother  to  define  the  concept  of  risk  at  all.  Indeed,  the  preceding  assessment  suggests  that  they 
would  be  better  off  advocating  an  all-out  ban  on  the  use  of  this  four-letter  word  rather  than 
promoting  a  risk  management  culture.  Although  the  charge  of  ambiguity  against  the  term  risk  is 
in  fact  correct,  banning  the  use  of  this  term  is  not  a  realistic  option  at  this  time.  Several 
government  policies  are  currently  formulated  in  the  language  of  risk.  That  cannot  be  changed 
overnight  and  probably  will  not  undergo  fundamental  change  for  years,  if  not  decades,  to  come. 
Indeed,  at  present,  we  are  witnessing  an  increase  in  the  use  of  the  risk  concept,  as  the  IRMF 
exemplifies. 

More significantly, and perhaps reflective of why we are in the current state, is the fact that the
concept  of  risk  has  tremendous  psychological  appeal.  Part  of  that  appeal  likely  stems  from  the 
fact  that  risk  is  strongly  associated  with  attention-grabbing  threats  and  losses.  Bad  news  usually 
headlines  because  it  captures  attention  and  generates  interest.  The  same  is  true  for  potential  bad 
news — namely,  risks.  Another  part  of  the  appeal  of  the  risk  concept  is  that  most  people  have  an 
intuitive  notion  of  what  risk  is,  however  imprecise  that  notion  may  be.  Thus,  experts  can  talk 
about  risks  to  non-experts  in  ways  that  they  could  not  do  if  they  were  instead  talking 
about  a  more  clearly-defined,  but  less  well-known  or  “user-friendly,”  concept  such  as  expected 
utility  (a  concept  to  which  I  shall  return  later). 

Indeed,  the  many-to-many  mapping  of  meanings  in  the  context  of  risk  communication  may  be 
appealing  for  precisely  the  same  reason  that  it  can  be  ineffective:  Risk  communicators  can  feel  at 
least  somewhat  assured  that  their  audiences  are  understanding  their  message  (though  not 
necessarily  as  intended)  and  interpreters  of  risk  communications  can  feel  at  least  somewhat 
confident  that  they  know  what  the  communication  means  (even  when  they  are  wrong).  The 
comfort  of  this  sort  of  illusory  understanding  is,  however,  a  luxury  that  comes  at  a  real  cost:  In 
the  long  run,  miscommunication  regarding  outcomes,  probabilities,  and  uncertainties  will 
undermine  effective  decision  making  and  may  also  weaken  trust  between  the  communicating 
stakeholders.  Where  this  proves  to  be  unacceptable,  clarity  may  be  sought  through  creation  of  risk 
assessment  procedures.  Sometimes  this  helps,  but  “standard  procedures”  still  do  not  imply 
standard interpretations of those procedures, their inputs, or their outcomes. In the end, there is no
substitute  for  conceptual  clarity.  Such  clarity  should  in  fact  provide  the  foundation  upon  which 
assessment  processes  are  built. 



Common  connotations  of  risk 


Risk  is  commonly  used  to  connote  at  least  four  distinct  meanings.  In  the  first  connotation,  risk  is 
synonymous  with  probability.  Let  us  call  this  the  R=P  definition.  For  instance,  a  cigarette  smoker 
named  Bob  might  assess  his  risk  of  dying  from  smoking  as  very  low,  by  which  he  means  that  the 
probability,  likelihood,  or  chance  of  that  outcome  happening  is  very  low.  This  definition 
illustrates  the  case  in  which  risk  is  superfluous,  for  if  one  merely  intended  to  refer  to  the 
probability  of  an  event,  X,  then  it  would  be  clearer  to  say  that  the  probability  of  X  is,  for  instance, 
“very  high”  than  to  say  that  the  risk  of  X  is  “very  high.”  Of  course,  the  term  probability  has 
multiple  meanings  too,  referring,  for  instance,  to  uncertainty  that  is  on  the  one  hand  subjective 
and  on  the  other  hand  objective  [16].  Even  so,  these  interpretations  tend  to  be  more  precise  and 
circumscribed  than  interpretations  of  risk. 

The  allure  of  using  risk  in  place  of  probability  appears  to  owe  much  to  the  tendency  for  people  to 
be  loss  averse.  Loss  aversion  refers  to  the  fact  that  the  negative  utility  or  displeasure  that  an 
individual  experiences  as  a  consequence  of  incurring  a  loss  tends  to  outweigh  the  positive  utility 
or  pleasure  that  the  same  individual  would  experience  as  a  consequence  of  securing  a  gain  of  the 
same  objective  magnitude  [17].  In  other  words,  losses  tend  to  loom  larger  than  gains  of 
corresponding  magnitude.  Loss  aversion  promotes  a  loss  focus  (and,  again,  this  is  partly,  and 
perhaps  largely,  why  bad  news  is  attention-grabbing).  Almost  invariably,  when  the  term  risk  is 
used  in  the  R=P  sense,  it  is  intended  to  highlight  that  a  focal  event  is  associated  with  possible,  and 
usually  significant,  loss.  Indeed,  it  would  be  odd  to  talk  about  the  risk  of  positive  events  unless 
there  was  also  some  chance  of  an  unwanted  negative  outcome  occurring.  For  instance,  although  it 
would sound quite natural to refer to the risk of gambling on the lottery, which may conjure up
thoughts  of  losing  money  or  even  of  becoming  addicted  to  gambling,  it  would  sound  odd  to  refer 
to  the  risk  of  winning  the  lottery,  with  its  predominantly  positive  image.  This  negative  bias,  or 
focus  on  “failure  probabilities”  [18]  is  evident  even  in  international  standards.  For  instance,  the 
International  Organization  for  Standardization  and  the  International  Electrotechnical  Commission 
(ISO/IEC)  2002  guide  on  risk  management  vocabulary  notes  that  “the  term  ‘risk’  is  generally 
used  only  when  there  is  at  least  the  possibility  of  negative  consequences”  [19]. 

In  the  second  connotation,  which  we  may  call  the  R=L  definition,  risk  is  synonymous  with 
possible  loss.  For  instance,  referring  to  the  earlier  example,  Bob’s  wife  might  counter  Bob’s 
assertion  by  saying  that  a  premature  death  is  a  risk  that  her  husband  nevertheless  faces  if  he 
continues  to  smoke.  Here,  the  emphasis  is  on  the  possibility  of  loss  occurring  rather  than  on  the 
probability  of  loss.  Indeed,  the  use  of  the  term  risk  in  the  R=L  sense  need  not  imply  that  the 
probability  of  the  possible  loss  is  high,  but  rather  that  the  possibility  is  perceived  as  plausible. 
Such  expressions  are  especially  likely  when  the  possible  loss  is  of  great  concern  (e.g.,  losing 
one’s  or  a  loved  one’s  life).  Once  again,  one  could  simply  say  that  death  is  a  possible 
consequence  of  smoking,  which,  as  a  statement,  is  clearer  and  also  appears  to  be  less  emotionally 
stirring  than  saying  that  death  is  a  risk  of  smoking. 

The  third  connotation  of  risk,  which,  as  we  shall  see  later,  is  commonly  reflected  in  risk 
assessment  methods,  conveys  a  combination  of  the  probability  (P)  and  magnitude  (M)  of  loss 
associated  with  the  occurrence  of  a  particular  event  or  type  of  event.  Let  us  call  this  the  R=PM 
definition  of  risk.  For  example,  Bob’s  friend  might  buttress  the  wife’s  claim  by  adding  that  the 
scientific  evidence  unequivocally  indicates  that  smoking  risk  is  very  high.  Clearly,  the  friend  does 
not mean that the probability of smoking per se is very high. Rather, the implied meaning is that
the  combination  of  the  magnitudes  or  impacts  of  the  possible  losses  associated  with  smoking  on 
the  one  hand  and  the  probabilities  of  the  possible  losses  on  the  other  hand  represents  a 
very high level or degree, although the nature of how probability and magnitude are scaled and
how  these  measures  are  combined  remains  implicit  in  the  risk  statement  and,  therefore,  it  remains 
vague  as  well. 

There  are  at  least  two  variants  of  this  third  connotation  of  risk  that  deserve  further  comment.  The 
first  extends  the  concept  to  both  the  positive  and  the  negative  outcomes  or  consequences  of  an 
event,  replacing  the  univalent  concept  of  loss  with  the  bivalent  concept  of  utility.  In  this  broader 
sense,  risk  is  akin  to  an  event’s  expected  utility  (EU),  a  summation  of  the  possible  outcomes  of 
the  event  weighted  by  their  respective  probabilities  of  occurrence.  Accordingly,  let  us  call  this 
variant  the  R=EU  definition  of  risk. 

The  second  variant  applies  the  concept  of  probability  to  the  event,  but  applies  the  concept  of 
magnitude  to  the  expected  consequence  of  the  event.  For  instance,  according  to  the  ISO/IEC 
guide  risk  is  defined  as  “[the]  combination  of  the  probability  of  an  event  and  its  consequences” 
[20].  This  standard  definition  still  requires  a  fair  degree  of  unpacking.  First,  probabilities  and 
consequences  per  se  cannot  be  combined;  rather,  it  is  their  estimates  that  may  be  combined  by 
risk  assessors.  Second,  the  unpacked  expression  “estimate  of  the  consequences”  is  still  vague: 
does  this  refer  to  a  probability  estimate  or  a  magnitude  estimate?  Given  that  most  risk  assessment 
procedures  attempt  to  combine  the  probabilities  and  magnitudes  of  an  event’s  possible  negative 
consequences,  let  us  assume  it  refers  to  the  latter;  namely,  an  estimate  of  the  magnitude  of  the 
consequences.  According  to  the  ISO/IEC  standard,  then,  risk  refers  to  the  combination  of  the 
probability  estimate  of  an  event  and  the  signed  estimate  of  the  magnitude  of  the  event’s 
consequences.  Let  us  refer  to  this  definition  as  R=PM  to  highlight  that  the  two  estimates  apply  to 
branches at different levels of a fault tree [21]. The R=PM definition reflects another type of
conceptual opaqueness; namely, one having to do with a failure to clearly specify the event to
which an estimate is meant to apply [22]. This definition glosses over the fact that an event may
result  in  multiple  possible  outcomes,  each  of  which  has  a  particular  likelihood  of  occurring.  The 
magnitude  estimates  of  these  possible  outcomes  should  be  combined  with  their  respective 
probability  estimates  before  integrating  the  derivative  estimate  with  the  prior  probability  of  the 
generating event, but the R=PM connotation of risk does not support this fundamental
decision-analytic process.

In  the  fourth  connotation  of  risk,  which  we  may  call  the  R=V  definition,  risk  refers  to  the  degree 
of  variability  among  the  possible  outcomes  associated  with  an  event.  For  example,  financial 
advisors  usually  ask  their  clients  how  much  risk  or  uncertainty  they  are  willing  to  tolerate  before 
recommending  an  investment  portfolio.  By  risk,  these  advisors  are  referring  to  the  degree  of 
volatility  in  the  value  of  an  investment  instrument  in  the  past  that  their  clients  are  willing  to 
accept.  Moreover,  because  the  direction  and  magnitude  of  fluctuations  in  an  instrument’s  value 
are  largely  unpredictable,  the  degree  of  volatility  tends  to  be  proportional  to  the  degree  of 
uncertainty that investors will face in knowing what the future value of their investment in that
instrument  will  be.  The  question  of  risk  tolerance  posed  by  financial  advisors  to  clients  is 
ultimately  about  their  willingness  to  accept  such  uncertainty. 

Note  also  that  volatility  represents  variability  in  possible  outcomes  that  may  be  entirely  negative 
(i.e., losses), entirely positive (i.e., gains), or a mixture of losses and gains. Often, however, the
term risk will be employed only if there is a perception that the occurrence of negative outcomes
is  distinctly  possible.  Thus,  although  technically  a  gamble  that  offers  an  even  chance  of  winning 
either  $10  or  $20  is  risky  in  the  R=V  sense  (i.e.,  there  is  variability  in  the  possible  outcomes), 
many  people  would  not  think  of  it  as  such  because  all  of  the  possible  outcomes  constitute  positive 
events.  By  contrast,  it  would  be  normal  to  think  of  a  gamble  offering  an  even  chance  of  winning 
$10  or  losing  $8  as  risky,  even  though  the  expected  utility  is  positive,  because  there  is  the 
possibility  of  loss. 

The  multiple  meanings  of  risk  just  discussed  do  not  represent  an  exhaustive  list.  One  could  also 
point  to  the  fact  that  risk  may  be  used  as  a  noun  (e.g.,  “the  risk  to  our  mission  is  great”),  as  a  verb 
(“the  commander  risked  his  troops’  lives”),  as  an  adjective  (e.g.,  “he  chose  a  risky  course  of 
action”),  or  as  an  adverb  (e.g.,  “the  battalion  advanced  riskily  toward  the  frontline”).  However, 
the  definitions  I  have  highlighted  are  important  in  the  present  context  because  in  each  case  risk  is 
aligned  with  an  important  decision-analytic  notion.  Effective  decision  making  requires  that  these 
notions  should  not  be  confused,  but  use  of  the  term  risk  appears  to  increase  the  probability  of 
precisely  such  confusion.  That  is,  these  multiple  connotations  of  risk  invite  disagreement  between 
individuals,  organizations,  and  policy  statements  as  well  as  within  these  entities.  In  the  next 
section,  I  examine  the  definition  of  risk  outlined  in  the  IRMF  and  use  it  to  illustrate  the 
type  of  conceptual  incoherence  that  can  arise  (and  that  has  arisen)  within  and  across  statements 
about risk management.

The concept of risk in the IRMF


The  IRMF  defines  risk  in  the  following  manner: 

Risk  refers  to  the  uncertainty  that  surrounds  future  events  and  outcomes.  It  is  the 
expression  of  the  likelihood  and  impact  of  an  event  with  the  potential  to  influence  the 
achievement  of  an  organization’s  objectives  [23]. 

This  definition  provides  a  good  example  of  the  ambiguity  and  vagueness  that  can  exist  within  a 
single  (but  important)  policy  document.  The  first  sentence  of  the  IRMF  definition  defines  risk  in 
R=V  terms.  The  greater  the  risk,  the  greater  will  be  the  “uncertainty”  or  the  variability  in  possible 
future  outcomes.  Nevertheless,  the  statement  fails  to  clarify  the  nature  of  uncertainty  that  is  to  be 
regarded  as  relevant  or  most  relevant.  For  instance,  imagine  that  a  possible  consequence  was 
bound  to  occur,  but  a  decision  maker  was  unaware  of  this  fact  and  unsure  of  what  might  happen. 
In  this  case,  the  consequence  may  be  regarded  as  entirely  certain  from  an  objective 
perspective but as highly uncertain from a subjective perspective. The IRMF definition offers little
guidance  on  how  different  sources  of  uncertainty  (e.g.,  subjective  vs.  objective)  ought  to  be 
weighted  or  combined. 

Whereas  the  first  sentence  illustrates  the  vagueness  of  the  IRMF  definition,  the  second  sentence, 
when  contrasted  with  the  first,  clearly  illustrates  that  the  definition  is  ambiguous  as  well,  since  it 
conveys  an  alternative  R=PM  concept  of  risk  in  which  likelihood  is  synonymous  with  probability, 
and  impact  is  used  as  a  shorthand  expression  of  the  relevant  outcome’s  magnitude.  It  remains 
unclear  in  this  second  definition  whether  only  negative  impacts  are  to  be  considered  or  whether 
positive  impacts  are  also  to  be  entered  into  the  calculation  of  risk.  This  lack  of  clarity,  in  itself, 
may  invite  confusion  given  that  the  R=PM  connotation  of  risk  usually  focuses  on  negative 
impacts  only,  whereas  the  valence-neutral  language  used  in  the  IRMF  would  seem  to  also  permit, 
if  not  encourage,  a  consideration  of  positive  impacts — in  other  words,  a  bivalent  R=EU  concept 
of  risk.  If  positive  impacts  were  to  be  considered,  however,  it  would  be  unclear  what  expressions 
like  “greater  risk”  or  “reduced  risk”  might  mean.  Indeed,  it  would  make  more  sense  under  such 
circumstances  simply  to  refer  to  the  expected  utility  of  an  act,  decision,  or  event  rather  than  to  its 
degree  of  risk. 

To  illustrate  the  confusion  that  could  easily  arise  from  the  IRMF  definition  of  risk,  consider  the 
following  example  involving  a  choice  between  two  alternative  courses  of  action  (COA),  which 
are designed to save 600 civilians who face imminent death in a war-torn region:¹

If  COA  1  is  taken,  it  is  certain  that  200  civilians  would  be  saved  and  the 
remaining  400  civilians  would  die. 

If  COA  2  is  taken,  there  is  a  one-third  chance  that  all  600  civilians  would  be  saved  and  a 
two-thirds  chance  that  all  600  civilians  would  die. 


1  For  readers  interested  in  people’s  choice  selections  in  versions  of  this  problem,  see  David  R.  Mandel, 
“Gain-loss  framing  and  choice:  Separating  outcome  formulations  from  descriptor  formulations,” 
Organizational Behavior and Human Decision Processes, 85(1), 56-76.

Putting aside the important question of which COA constitutes the best option, let us simply ask
which  one  is  the  riskiest?  If  risk  is  defined  in  R=V  terms,  then  COA  1  is  less  risky  than  COA  2 
because  there  is  no  outcome  variability  in  the  former  case  (i.e.,  there  is  only  one  possible 
outcome,  which  is  comprised  of  200  lives  saved  and  400  lives  lost)  and  the  maximum  possible 
outcome  variability  in  the  latter  case  (i.e.,  there  are  two  possible  outcomes,  one  representing  the 
best  possible  outcome — namely,  everyone  saved — and  the  other  representing  the  worst  possible 
outcome — namely,  everyone  dies).  From  this  definitional  standpoint,  COA  1  is  “risk  free” 
because  there  is  only  one  possible  outcome  associated  with  it.  Note,  however,  that  this  risk-free 
option  (from  an  R=V  standpoint)  involves  two-thirds  of  the  civilians  dying.  Thus,  in  spite  of  its 
complete  success  in  eliminating  R=V  risk,  COA  1  might  be  seen  as  entailing  an  unacceptable 
loss.  That  is,  it  might  be  too  risky  from  the  R=L  perspective. 

If,  however,  risk  is  treated  as  an  expression  of  the  summation  of  the  negative  impacts  of  a  given 
COA  weighted  by  their  probability  of  occurrence — namely,  in  R=PM  terms — then  both  options 
would  be  equally  “risky.”  This  can  be  verified  by  multiplying  the  negative  outcome  for  a  given 
COA  by  its  probability  of  occurrence: 

For  COA  1,  R=PM  =  1.0(-400)  =  -400. 

For  COA  2,  R=PM  =  0.67(-600)  =  -400. 

Similarly,  if  risk  were  to  be  interpreted  in  R=EU  terms,  once  again,  the  two  options  would  be 
equally  risky: 

For  COA  1,  R=EU  =  1.0(200)  +  1.0(-400)  =  -200. 

For  COA  2,  R=EU  =  0.33(600)  +  0.67(-600)  =  -200. 

Thus,  depending  on  how  the  IRMF  is  interpreted,  a  risk  assessor  could  very  reasonably  conclude 
that  COA  1  is  much  riskier  than  COA  2  (i.e.,  if  risk  means  R=V)  or  that  the  two  courses  of  action 
do  not  differ  at  all  in  terms  of  risk  (i.e.,  if  risk  means  R=PM  or  R=EU). 

Note  that,  in  the  preceding  example,  both  interpretations  of  the  relative  riskiness  of  the  two 
options  were  legitimate  given  the  manner  in  which  the  IRMF  defines  risk.  Thus,  the  ambiguity 
that  arose  in  that  example  did  not  stem  from  a  mistaken  translation  of  the  IRMF’s  definition  of 
risk;  rather,  it  arose  from  the  imprecision  of  the  definition  itself.  There  is  ample  evidence, 
however,  that  the  IRMF  definition  of  risk  is  also  prone  to  mistaken  translations.  For  example,  one 
Canadian  government  report  on  risk  management  learning  strategies  defines  risk  by  first  quoting 
the  IRMF  definition  of  risk.  In  the  following  sentence  of  that  report,  however,  the  authors 
conclude  that  “risk  in  this  sense  is  the  probability  that  a  future  event  -  either  good  or  bad  -  will 
occur”  [24].  Thus,  on  the  basis  of  the  IRMF’s  ambiguous  R=V  /  R=PM  /  R=EU  definition  of  risk, 
the  authors  conclude  that  risk  is  to  be  interpreted  in  the  R=P  sense! 

As  well,  consider  the  definition  of  risk  provided  in  a  2003  Health  Canada  report  entitled  “Strategy 
to  Implement  an  Integrated  Risk  Management  Framework  in  Health  Canada:” 

“Risk” refers to the uncertainty that surrounds future events and outcomes. It is the level
of exposure to uncertainties that an organization must understand and effectively manage.
Risk is the expression of the likelihood of a future event occurring as well as its potential
to influence the achievement of an organization’s objectives [25].

The  first  of  these  three  sentences  conveys  the  R=V  connotation.  The  second  sentence  attempts  to 
set  the  R=V  definition  in  a  relevant  organizational  context.  The  third  sentence,  however,  diverges 
in interpretation by initially defining risk in R=P terms. Then, somewhat confusingly, the third
sentence  ends  by  alluding  to  the  potential  to  influence  the  achievement  of  an  organization’s 
objectives  in  what  seems  to  mean  something  akin  to  “risk  is  the  probability  of  an  event  but  only 
for  events  that  matter  to  the  organization.”  These  examples  illustrate  the  ease  with  which  the  risk 
concept  can  be  applied  inconsistently  across  policy  statements,  even  in  cases  in  which  the  aim  is 
to conform to a single framework.

The concept of risk in the DND/CF


As  noted  earlier,  the  DND/CF  has  been  taking  steps  over  the  past  few  years  to  harmonize  its  risk 
management  policies  and  procedures  with  the  IRMF.  According  to  an  early  statement  in  2001, 
ISRM “focuses on the management of strategic corporate risk. Operations risk management at the
strategic,  operational  and  tactical  levels  is  accomplished  through  the  operations  planning  process 
and  is  developed  and  perfected  through  operational  research,  lessons  learned  and  doctrine 
development”  [26].  This  suggests  that  efforts  to  harmonize  risk  management  practices  with  the 
IRMF  would  occur  mostly  on  the  DND  corporate  side  and  less  on  the  CF  operational  side. 
However,  the  2005  IRM  policy  statement  does  not  make  this  distinction  clear.  And,  in  what 
appears  to  be  a  reversal  of  the  earlier  ruling,  the  2005  IRM  guidelines  indicate  that  “they  are 
intended  to  be  generic  and  independent  of  any  specific  functional  application  (HR,  construction, 
capital  equipment  projects)  or  organizational  level  (strategic,  operational,  or  tactical)  to  ensure 
that  they  can  be  used  throughout  Defence”  [27].  At  present,  then,  the  extent  to  which  risk 
management in the context of the operations planning process is intended to adopt
IRMF-consistent definitions and principles remains unclear.

It is clear, however, that multiple definitions of risk are still to be found within DND/CF
risk-management documentation. Not surprisingly, the IRM policy statement and IRM guidelines both
define risk in the same manner as the IRMF,² thus inheriting the conceptual ambiguities of that
definition  noted  earlier.  The  IRM  guidelines,  however,  indirectly  suggest  that  the  intent  is  to 
define  risk  in  R=PM  terms  because  the  risk  assessment  procedures  outlined  in  the  guidelines 
involve  prioritizing  risk  by  combining  likelihood  (i.e.,  probability)  and  impact  (i.e.,  magnitude), 
each  of  which  is  coded  on  5-point  scales  as  shown  in  Figure  1  [28]. 

These  procedures  share  much  in  common  with  those  outlined  in  the  DND/CF  doctrine.  In  2002, 
the  DND/CF  published  a  Joint  Doctrine  Manual  entitled  “Risk  Management  for  CF  Operations” 
in  which  risks  are  to  be  prioritized  using  a  matrix  as  shown  in  Figure  2  [29]. 


2 See Annex A in both documents.

Figure 1: Risk assessment matrix from the CF IRM guidelines

Figure 2: Risk assessment matrix from the CF joint doctrine manual on risk management

In Figure 2, the letters L, M, H, and E refer to risks that are low, medium, high, and extremely
high,  respectively.  Despite  the  differences  in  approach,  both  risk  assessment  matrices  are 
consistent  with  the  R=PM  definition  of  risk.  The  doctrine  manual,  however,  provides  a  definition 
of  risk  that  is  more  congruent  with  what  is  in  fact  measured.  It  defines  risk  as  “an  expression  of  a 
possible  loss  or  negative  mission  impact  stated  in  terms  of  probability  and  severity  of  an  event” 
[30]  and  then  later  defines  it  as  “[the]  chance  of  injury  or  loss  expressed  in  terms  of  probability 
and  severity”  [31].  Probability,  in  turn,  is  defined  as  “the  likelihood  that  an  event  will  occur,”  and 
severity  is  defined  as  “the  expected  consequence  of  an  event  in  terms  of  degree  of  injury,  property 
damage,  or  other  mission-impinging  factors  (loss  of  combat  power,  adverse  publicity,  etc.)  that 
could occur” [32].

The  DND/CF  doctrine  defines  risk  in  relatively  unambiguous  terms.  It  clearly  states  that  risk 
applies  only  to  R=PM  assessments  of  possible  losses,  not  possible  gains,  thus  ruling  out  (for 
better  or  worse)  the  R=EU  interpretation.  And,  it  goes  on  to  provide  clear  definitions  of 
probability  and  severity  (i.e.,  M  in  the  R=PM  formulation).  In  short,  from  a  definitional 
standpoint,  the  DND/CF  doctrine  on  risk  management  is  much  clearer  than  the  IRMF.  The 
DND/CF  doctrinal  definition  of  risk  also  is  in  accordance  with  national  and  international 
standards.  According  to  the  Canadian  Standards  Association  (CSA)  1997  guide  on  risk 
management  for  decision  makers,  risk  is  defined  as  “the  chance  of  injury  or  loss  as  defined  as  a 
measure  of  the  probability  and  severity  of  an  adverse  effect  to  health,  property,  the  environment, 
or  other  things  of  value”  [33].  And,  as  noted  earlier,  the  ISO/IEC  defines  risk  as  “[the] 
combination  of  the  probability  of  an  event  and  its  consequences”  [34].  The  definition  of  risk  in 
the  DND/CF  doctrine  is  therefore  congruent  with  both  national  and  international  standards,  and  is 
indeed  more  so  than  that  offered  by  the  IRMF.  Nevertheless,  as  I  also  noted  earlier,  the  ISO/IEC 
standard  for  defining  risk  lends  itself  to  a  faulty  R=PM  interpretation,  and  consistency  with  this 
standard should not necessarily be viewed as beneficial for decision making.

Toward a concept of risk for effective decision making


Ultimately,  organizations  attempt  to  manage  risk  in  the  hopes  of  making  satisfactory  decisions  at 
minimum  and  optimal  ones  at  best.  This  usually  means  trying  to  capitalize  on  opportunities  and 
maximize  gains,  while  trying  to  avoid  threats  and  minimize  costs  or  losses,  by  selecting  the 
alternative  from  a  set  of  options  that  maximizes  expected  utility,  subject  to  other  possible 
constraints  on  choice  selection,  some  of  which  may  be  voluntarily  imposed  (e.g.,  maxima  for 
expected  losses  or  outcome  variability,  minima  for  expected  gains)  and  others  of  which  may  be 
outside  of  the  decision  maker’s  control  (e.g.,  limited  resources  that  may  preclude  reaching  the 
best  decision  in  principle).  Techniques  for  improving  decision  making  should,  therefore,  help  the 
decision  maker  weight  and  combine  the  relevant  information  in  a  manner  that  lends  itself  toward 
achieving  that  goal,  bearing  in  mind  real  constraints.  Toward  that  end,  policy  makers  should 
strive  for  conceptual  clarity.  The  concepts  underlying  decision-analytic  techniques  should  be 
clearly  defined  and  unambiguous  so  that  decision  makers  and  other  stakeholders  will  not  only 
understand  what  they  themselves  mean  when  they  use  the  concept;  they  will  actually  share  the 
same  meaning.  We  have  seen  that  this  is  one  of  the  fundamental  problems  with  the  concept  of 
risk.  It  has  too  many  meanings,  many  of  which  are  vague. 

In  addition  to  being  unambiguous  and  precise,  concepts  that  support  decision  making  should  be 
general enough to be applicable across a wide range of organizational contexts and
decision-making domains. The nature of the attributes that define the options under consideration may
differ  from  one  context  to  another,  but  the  concepts  used  to  resolve  the  problem  of  which 
alternative  to  select  from  an  array  of  options  should  remain  invariant.  Furthermore,  aspects  of  a 
concept  that  may  limit  one’s  ability  to  generalize  the  concept  should  be  jettisoned  from  its  core 
definition.  This  is  especially  important  for  policies  that  are  meant  to  apply  across  a  diverse  set  of 
organizations,  such  as  the  IRMF  and  national  and  international  standards.  For  example,  the  CSA 
definition  of  risk  noted  earlier — namely,  “the  chance  of  injury  or  loss  as  defined  as  a  measure  of 
the  probability  and  severity  of  an  adverse  effect  to  health,  property,  the  environment,  or  other 
things  of  value” — could  be  improved  in  this  regard  simply  by  defining  R=PM  risk  as  follows: 

Definition  1:  Risk  refers  to  the  expected  loss  associated  with  an  event.  It  is  measured  by 
combining  the  magnitudes  and  probabilities  of  all  of  the  possible  negative  consequences 
of  the  event. 

There  is  no  need  to  bog  down  the  definition  by  referring  to  specific  types  of  possible  outcome, 
such  as  health,  property,  the  environment,  etc. 

Whereas  clarity,  lack  of  ambiguity,  and  wide  applicability  may  be  necessary  conditions  for 
successfully  defining  concepts  that  support  effective  decision  making,  they  are  certainly  not 
sufficient  in  this  regard.  A  concept  must  also  demonstrate  integrity  by  lending  itself  to  evaluation 
processes  that  support  effective  decision  making.  Take  the  aforementioned  ISO/IEC  definition  of 
risk;  it  does  a  fair  job  of  meeting  the  necessary  criteria  but  nevertheless  lacks  integrity  because  it 
easily  lends  itself  to  a  dubious  R=PM  interpretation.  Definition  1  avoids  this  dubious  connotation 
and  is  appropriate  if  a  decision  maker  wanted  to  assess  the  univalent  R=PM  concept  of  risk.  In 
many  instances,  however,  decision  makers  may  be  more  interested  in  considering  the  bivalent 
R=EU concept of risk. To avoid confusion with the univalent notion, I recommend that the
bivalent concept be called expected utility, which is indeed what it represents, and defined as
follows: 


Definition 2: Expected utility refers to the expected value of an event. It is measured by
combining  the  signed  magnitudes  and  probabilities  of  all  of  the  possible  consequences  of 
the  event. 

Whereas  Definition  1  retains  a  focus  on  the  negative  side  of  the  balance  sheet,  and  is  consistent 
with  the  common  usage  of  the  term  risk,  Definition  2  emphasizes  the  integration  of  both  positive 
and  negative  expected  outcomes.  Although  a  univalent  focus  on  loss  may  be  justified  in  some 
circumstances,  such  as  when  a  decision  to  pursue  a  particular  objective  has  already  been  made 
(e.g.,  an  operational  mission  has  been  deemed  necessary  and  now  steps  must  be  taken  to 
minimize  potential  loss),  as  a  general  rule  the  bivalent  notion  provides  a  more  complete  basis  for 
selecting  among  available  options  because  the  various  options  considered  by  a  decision  maker  are 
likely  to  vary  not  only  in  terms  of  their  possible  drawbacks  but  also  in  terms  of  their  possible 
strengths.  By  integrating  both  sides  of  the  balance  sheet,  the  option  that  maximizes  expected 
utility should be more transparent, as should the reasons why. This fuller integration of
decision-relevant information is advantageous not only in terms of optimizing choice, but also in terms of
providing  greater  transparency  and  accountability  for  decision  making.  That  is,  it  should  be  easier 
for  policy  makers  to  justify,  and  for  citizens  to  understand,  why  a  given  choice  was  made  by  their 
government  when  that  decision  takes  account  of  both  the  expected  costs  and  benefits  and  does  so 
in  a  consistent  manner. 
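Definitions 1 and 2 can be checked against the rescue operation problem discussed earlier. The Python sketch below is an added example, not part of the original report: it computes both measures in two stages (outcomes weighted by their own probabilities, then by the prior probability of the generating event) and contrasts the result with the single-probability, single-magnitude shortcut criticized under R=PM. All class and function names, and the figures in `CONSTRUCTED_EVENT`, are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Outcome:
    """One possible outcome of an event (a lower branch of the fault tree)."""
    probability: Fraction  # P(outcome | generating event occurs)
    gain: int = 0          # size of the positive consequence, >= 0
    loss: int = 0          # size of the negative consequence, >= 0


@dataclass(frozen=True)
class Event:
    """A generating event (upper branch) together with its possible outcomes."""
    name: str
    prior: Fraction        # probability that the generating event occurs
    outcomes: tuple

    def __post_init__(self):
        if not 0 <= self.prior <= 1:
            raise ValueError(f"{self.name}: prior must lie in [0, 1]")
        if any(o.probability < 0 or o.gain < 0 or o.loss < 0 for o in self.outcomes):
            raise ValueError(f"{self.name}: negative probability or magnitude")
        # Exact fractions are used so that thirds sum to 1 (the text rounds to 0.33/0.67).
        if sum(o.probability for o in self.outcomes) != 1:
            raise ValueError(f"{self.name}: outcome probabilities must sum to 1")


def expected_loss(event):
    """Definition 1 (risk): all negative consequences, each weighted by its own
    probability, then by the prior of the generating event. Result is signed."""
    return event.prior * sum(o.probability * -o.loss for o in event.outcomes)


def expected_utility(event):
    """Definition 2: as above, but over signed magnitudes (gains and losses)."""
    return event.prior * sum(o.probability * (o.gain - o.loss) for o in event.outcomes)


def single_pair_pm(event, pick):
    """The shortcut: prior probability times the magnitude of ONE outcome chosen
    by `pick`, ignoring how likely that outcome is once the event has occurred."""
    return event.prior * -pick(event.outcomes).loss


def worst_case(outcomes):
    return max(outcomes, key=lambda o: o.loss)


def most_likely(outcomes):
    return max(outcomes, key=lambda o: o.probability)


# The two courses of action from the rescue problem (prior = 1: the COA is taken).
COA_1 = Event("COA 1", Fraction(1), (Outcome(Fraction(1), gain=200, loss=400),))
COA_2 = Event("COA 2", Fraction(1), (
    Outcome(Fraction(1, 3), gain=600),
    Outcome(Fraction(2, 3), loss=600),
))

# Constructed sample (not from the report): an event that occurs with
# probability 1/10 and then leads to one of three outcomes.
CONSTRUCTED_EVENT = Event("constructed event", Fraction(1, 10), (
    Outcome(Fraction(1, 2), loss=0),
    Outcome(Fraction(3, 10), loss=100),
    Outcome(Fraction(1, 5), loss=1000),
))


def summarize(event):
    """Return the measures side by side for one event."""
    return {
        "expected_loss": expected_loss(event),
        "expected_utility": expected_utility(event),
        "shortcut_worst_case": single_pair_pm(event, worst_case),
        "shortcut_most_likely": single_pair_pm(event, most_likely),
    }


if __name__ == "__main__":
    for ev in (COA_1, COA_2, CONSTRUCTED_EVENT):
        row = ", ".join(f"{k}={float(v):g}" for k, v in summarize(ev).items())
        print(f"{ev.name}: {row}")
```

For the constructed event the two shortcut readings disagree with each other and with the two-stage expected loss, which is the failure to specify the event being estimated that the R=PM discussion describes.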

Despite  the  important  difference  between  Definitions  1  and  2,  both  share  in  common  the  fact  that 
they  provide  a  measure  of  the  central  tendency  of  considered  options.  With  Definition  1,  the 
decision  maker  aims  to  minimize  that  value;  with  Definition  2,  the  aim  is  to  maximize  it.  But,  as 
the  comparison  of  options  in  the  rescue  operation  problem  discussed  earlier  revealed,  options  may 
have similar or even identical central tendencies and yet differ greatly in their variability.
Without  a  measure  of  variability,  decision  makers  will  not  have  a  clear  sense  of  the  range  of 
possibilities  that  might  transpire  if  a  given  option  is  adopted.  Unfortunately,  current  operational 
definitions  of  risk  make  no  attempt  to  gauge  this  type  of  variability,  and  national  and  international 
standards  for  defining  risk  seem  to  ignore  the  issue  altogether.  In  order  to  keep  the  concept  of  risk 
from  meaning  too  many  things,  I  also  recommend  that  the  term  uncertainty  be  used  to  convey  the 
R=V  connotation;  this  may  be  defined  as  follows: 

Definition  3:  Uncertainty  refers  to  the  degree  of  variability  in  the  possible  values 
associated  with  an  event. 

Variability  would  normally  be  defined  relative  to  an  expected  value.  For  example,  it  may  be 
computed  as  the  mean  squared  deviation  of  possible  outcomes  from  the  expected  outcome.  In  the 
rescue  operation  problem  described  earlier,  uncertainty  computed  in  this  manner  would  have  a 
value  of  0  for  COA  1  since  the  only  possible  outcome  is  the  expected  outcome  (namely,  200  are 
saved and 400 die). By contrast, uncertainty for COA 2 would have a value equal to [(0 − 200)² +
(600 − 200)²] ÷ 2 = 1,000. Thus, even though the risk (following Definition 1) and expected
utility (following Definition 2) of the two options presented in this problem are identical, we see
that the uncertainty associated with COA 2 is much greater and can be quantified.

Collectively, Definitions 1 (risk), 2 (expected utility), and 3 (uncertainty) cover most of the
interpretations  in  which  risk  has  been  used  in  government  and  defence  policies  and  military 
doctrine, while using distinct, but accessible, terminology.³ In cases in which the term risk is used
to  refer  to  either  probability  or  loss,  efforts  should  be  taken  to  reframe  the  discussion  of  the 
relevant  events  using  the  more  transparent,  and  less  emotionally  evocative,  terms.  For  instance, 
instead  of  saying  that  there  is  a  10%  risk  of  mission  failure,  one  could  instead  say  that  there  is  a 
10%  probability  of  mission  failure.  In  this  manner,  policy  makers,  managers,  and  other  decision 
makers  can  begin  to  move  toward  standardizing  their  lexicon  of  terms,  while  differentiating 
concepts  that  are  each  important  for  reaching  effective  decisions. 


3  Note  that  the  risk-uncertainty  distinction  proposed  here  differs  from  the  sense  in  which  these  terms  have 
been  employed  in  the  decision  sciences.  In  much  of  the  academic  literature,  decisions  are  said  to  be  made 
under  conditions  of  risk  when  (a)  at  least  one  option  from  a  set  of  considered  options  has  multiple  and 
mutually  exclusive  possible  outcomes  associated  with  it  and  (b)  the  probabilities  of  all  possible  outcomes 
for  all  options  in  the  considered  set  are  known  a  priori.  Decisions  are  said  to  be  made  under  conditions  of 
uncertainty  when  condition  (a)  in  the  preceding  definition  is  met,  but  the  probability  of  at  least  some  of  the 
possible  outcomes  associated  with  one  or  more  of  the  considered  options  is  unknown  or  unknowable.  This 
distinction traces back to Frank H. Knight, Risk, Uncertainty, and Profit, Boston, M.A.: Houghton Mifflin,
Co.,  1921,  available  at  [http://www.econlib.org/library/Knight/knRUPO.html]. 




DRDC  Toronto  TR  2007-124 


References 


[1]  Canada,  Government  of,  Privy  Council  Office,  (2000)  Risk  Management  for  Canada  and 
Canadians:  Report  of  the  ADM  Working  Group  on  Risk  Management.  Ottawa,  Canada. 

[2]  Canada,  Government  of,  Treasury  Board  of  Canada  Secretariat,  (2000)  Results  for 
Canadians:  A  Management  Framework  for  the  Government  of  Canada.  Ottawa,  Canada. 

[3]  Canada,  Government  of,  Treasury  Board  of  Canada  Secretariat,  (2001)  Integrated  Risk 
Management  Framework.  Ottawa,  Canada. 

[4] Canada, Government of, Department of National Defence, (2001, April) “VCDS Letter to
Level 1’s,” Ottawa, Canada, p. 1.

[5]  [http://www.vcds.forces.gc.ca/dgsp/pubs/rep-pub/dda/cosstrat/isrm/vcdsLetr_e.asp]. 

[6]  Canada,  Government  of,  Department  of  National  Defence,  (2004,  January)  1000-6-4  (CRS), 
Baseline  Study:  Integrated  Risk  Management  within  the  DND/CF.  Ottawa,  Canada,  p.  14. 

[7]  Ibid.,  p.  15. 

[8]  Canada,  Government  of,  Department  of  National  Defence,  (2005,  October)  Integrated  Risk 
Management  Policy,  Ottawa,  Canada. 

[9]  Canada,  Government  of,  Department  of  National  Defence,  (2005,  October)  Integrated  Risk 
Management  Guidelines,  Ottawa,  Canada. 

[10]  Canada,  Government  of,  Department  of  National  Defence,  (2005,  October)  Integrated  Risk 
Management  Policy,  Ottawa,  Canada,  p.  2. 

[11]  Canada,  Government  of,  Treasury  Board  of  Canada  Secretariat,  (2001)  Integrated  Risk 
Management  Framework.  Ottawa,  Canada,  p.  7. 

[12]  Ibid.,  p.  6. 

[13]  Fischhoff,  B.  (1994).  What  forecasts  (seem  to)  mean.  International  Journal  of  Forecasting, 
10(2),  387-403. 

[14]  Kaplan,  S.  (1997).  The  words  of  risk  analysis.  Risk  Analysis,  17,  489-498. 

[15]  Dowie,  J.  (1999).  Against  risk.  Risk,  Decision  and  Policy,  4(1),  57. 

[16]  Kahneman,  D.  &  Tversky,  A.  (1982).  Variants  of  uncertainty.  Cognition,  11(2),  143-157. 

[17]  Kahneman,  D.  &  Tversky,  A.  (1979).  Prospect  theory:  An  analysis  of  decision  under  Risk. 
Econometrica,  47(2),  236-292. 




[18]  Fischhoff,  B.,  Slovic,  P.  &  Lichtenstein,  S.  (1978).  Fault  trees:  Sensitivity  of  estimated 
failure probabilities to problem representation. Journal of Experimental Psychology:
Human Perception and Performance, 4(2), 330-344.

[19]  International  Organization  for  Standardization  and  International  Electrotechnical 
Commission,  ISO/IEC  Guide  73,  (2002)  Risk  Management  -  Vocabulary  -  Guidelines  for 
Use  in  Standards.  Geneva,  Switzerland. 

[20]  Ibid.,  p.  2. 

[21]  Fischhoff,  B.,  Slovic,  P.  &  Lichtenstein,  S.  (1978).  Fault  trees:  Sensitivity  of  estimated 
failure probabilities to problem representation. Journal of Experimental Psychology:
Human Perception and Performance, 4(2), 330-344.

[22]  Fischhoff,  B.  (1994).  What  forecasts  (seem  to)  mean.  International  Journal  of  Forecasting, 
10(2),  387-403. 

[23]  Canada,  Government  of,  Treasury  Board  of  Canada  Secretariat,  (2001)  Integrated  Risk 
Management  Framework.  Ottawa,  Canada,  p.  5. 

[24] Hill, S. & Dinsdale, G. (2001). “A Foundation for Developing Risk Management Learning
Strategies in the Public Service,” Canada, Government of, Canadian Centre for
Management Development, Ottawa, Canada, p. 5.

[25] Canada, Government of, Health Canada, (2003, June) “Strategy to Implement an
Integrated Risk Management Framework in Health Canada,” Ottawa, Canada, p. 4.

[26] Canada, Government of, Department of National Defence, (2001, April) “VCDS Letter to
Level 1’s,” Ottawa, Canada, p. 1.

[27]  Canada,  Government  of,  Department  of  National  Defence,  (2005,  October)  Integrated  Risk 
Management  Guidelines,  Ottawa,  Canada,  p.  2. 

[28]  Ibid.,  p.  7. 

[29] Canada, Government of, Department of National Defence, (2002) Joint Doctrine Manual
B-GJ-005-502/FP-000, Risk Management for CF Operations. Ottawa, Canada.

[30]  Ibid.,  p.  1-1. 

[31]  Ibid.,  p.  1-2. 

[32]  Ibid.,  p.  1-5. 

[33]  Canadian  Standards  Association,  CAN/CSA-Q-850-97,  (October,  1997)  Risk  Management: 
Guideline  for  Decision-Makers.  Etobicoke,  Canada,  p.  3. 




[34] International Organization for Standardization and International Electrotechnical
Commission, ISO/IEC Guide 73, (2002) Risk Management - Vocabulary - Guidelines for
Use in Standards. Geneva, Switzerland, p. 2.




List  of  symbols/abbreviations/acronyms/initialisms 


CF          Canadian Forces
CSA         Canadian Standards Association
DND         Department of National Defence
DND/CF      Department of National Defence and the Canadian Forces
COA         Course of Action
GOC         Government of Canada
HR          Human Resources
ISO/IEC     International Organization for Standardization and the International
            Electrotechnical Commission
ISRM        Integrated Strategic Risk Management
IRM         Integrated Risk Management
IRMF        Integrated Risk Management Framework
R = EU      Risk as Expected Utility
R = L       Risk as Loss
R = P       Risk as Probability
R = PM      Risk as the Integration of Probability and Magnitude
R = PM*     Risk as the Fault-Prone Integration of Probability and Magnitude
R = V       Risk as Variability
VCDS        Vice Chief of Defence Staff